[cap-talk] Abstractions that subsume capabilities
Sandro Magi
naasking at higherlogics.com
Wed Mar 12 10:28:24 EDT 2008
Richard Uhtenwoldt wrote:
> From: "Richard Underwood/Uhtenwoldt" <ru at sonic.net>
>
> Kevin "performs surgery" on the following simple Haskell
> program to give it "the capability nature":
>
> import System.IO (hPrint, stdout)
>
> main = do
>   s <- readFile "/etc/passwd"
>   hPrint stdout s
>
> But the above code does not need to be changed to be good,
> attack-resistant code.
The problem here is the ambient access to the global file system. What
gives 'main' the right to open "/etc/passwd"? This right is not derived
from anything explicitly given to 'main', thus it is an ambient authority.
The suggestions made thus far were to close this hole. I think Haskell's
mistake here is the I/O signatures and main's in particular: IO ().
At a coarse granularity, they should be:
main :: World -> IO ()
openFile :: World -> FilePath -> IOMode -> IO Handle
Sandro
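Added example, not part of the thread or of anyone's posted code: one way to make the authority in the proposed 'World'-passing signatures explicit in ordinary Haskell. Since GHC's entry point must still be 'main :: IO ()', the real 'main' mints the root 'World' once and hands it to a 'capMain :: World -> IO ()'; an untrusted component receives only an attenuated directory capability, so its type says exactly what it may read. The names World, DirCap, attenuate, readInDir, untrustedLogReader and the directory '/var/log/myapp' are assumptions of this sketch, and the traversal check is a deliberately simple lexical one (it does not follow symlinks).

```haskell
-- Added example (not from the original thread). World, DirCap, attenuate,
-- readInDir and untrustedLogReader are assumed names for this sketch.
module Main (main) where

import System.IO (hPutStrLn, stdout)
import Control.Exception (try, IOException)

-- The root of all file-system authority. In a real design its constructor
-- is not exported, so code that is not handed a World cannot reach the
-- file system at all; here it is a plain newtype for illustration.
newtype World = World ()

-- A capability that grants read access below one directory only.
newtype DirCap = DirCap FilePath

-- Attenuation: derive a strictly weaker capability from the full World.
attenuate :: World -> FilePath -> DirCap
attenuate (World ()) dir = DirCap dir

-- Split a relative path on '/' so that ".." components can be spotted.
segments :: FilePath -> [String]
segments = words . map (\c -> if c == '/' then ' ' else c)

-- The only way to read through a DirCap: the path is interpreted
-- relative to the capability's directory, and escapes are refused
-- before any I/O happens. (Lexical check only; symlinks are not resolved.)
readInDir :: DirCap -> FilePath -> IO (Either String String)
readInDir (DirCap dir) rel
  | take 1 rel == "/"            = pure (Left "absolute paths are not granted")
  | ".." `elem` segments rel     = pure (Left "parent traversal is not granted")
  | otherwise = do
      r <- try (readFile (dir ++ "/" ++ rel)) :: IO (Either IOException String)
      pure (either (Left . show) Right r)

-- Untrusted component: it receives only a DirCap, never a World, so the
-- type of its argument states exactly what it may touch.
untrustedLogReader :: DirCap -> IO ()
untrustedLogReader cap = do
  ok  <- readInDir cap "app.log"             -- inside the granted directory
  bad <- readInDir cap "../../etc/passwd"    -- refused without touching disk
  hPutStrLn stdout (either ("denied: " ++) (take 80) ok)
  hPutStrLn stdout (either ("denied: " ++) (take 80) bad)

-- capMain plays the role of the message's 'main :: World -> IO ()'.
-- Every authority the program uses is derived from the World it is given.
capMain :: World -> IO ()
capMain w = untrustedLogReader (attenuate w "/var/log/myapp")

-- GHC's real entry point: mint the World once, then delegate.
main :: IO ()
main = capMain (World ())
```

The point of the shape is that 'untrustedLogReader' cannot name "/etc/passwd" at all: it has no World, and 'readInDir' is the only operation its DirCap supports. Moving the World constructor into a separate module with an export list that omits it is what turns this sketch into a real boundary; within one file, nothing stops code from writing 'World ()' itself.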